This week's book giveaway is in the Agile and Other Processes forum.
We're giving away four copies of The Little Book of Impediments (e-book only) and have Tom Perry on-line!
See this thread for details.
Win a copy of The Little Book of Impediments (e-book only) this week in the Agile and Other Processes forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Question about webstart security access

 
Raymond Holguin
Ranch Hand
Posts: 82
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
My scenario is that we have multiple "kiosks" spread around. When the user logs in to the computer, the browser will launch and a webstart application will run. I choose webstart because of its versioning and caching ability, if i update the app or change the JRE requirements all that will be handled/downloaded automatically when the app launches. So the question i have is that this app is going to be requesting resources from the client machine. From my understanding I will need to provide a digital certificate and the client will have to accept this in order to proceed. So my question is how can i prevent the user from having to accept the certificate? Access to the webstart site is going to be restricted to just the kiosks in question, so users should not have the option to decline running the application and it should run will full privileges no matter what. Can something like this be doing using webstart technology? Given the location of the kiosks, building a standalone java application is not ideal for maintenance/upgrade purposes which is why launching over the web seemed like a better fit.
 
Martin Vajsar
Sheriff
Posts: 3752
62
Chrome Netbeans IDE Oracle
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Do your kiosks use just one user account for all users? If this is the case, perhaps you could just run the application for the first time on every kiosk yourself and in the process check the checkbox that says something like "Always trust contents from this publisher". The message should not appear again (at least until your certificate expires and you're forced to obtain a new one). At least this is how it works in my environment.

This actually adds the certificate into a user list of trusted certificates in the Java Control Panel. Even better way might be to add that certificate to a system list of trusted certificates. That might work for all users of the computer, actually. I suppose that installing the certificate this way could perhaps even be automated somehow, but I have no idea how that would be done.

I'd say you might try whether this is going to work in your environment (and make sure it works even when you deploy a new version of your software), and if it does, you might try to automate the setup as the next step.
 
Raymond Holguin
Ranch Hand
Posts: 82
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks, the first idea may work fine as long as i would not have to re-accept the certificate every time a new version of the JAR is released. If renewal is only needed when the cert expires then that can be tolerable. Though i will definitely look into how i can auto install the cert as that would be ideal.
My next question would be, since these kiosks are within our intranet for our own users there is no need to "buy" a certificate from Verisign for example. Would a self created dummy certificate created using the keytool program be considered a "trusted" certificate or would Java somehow reject that as not being a trust-able cert since its not official?
 
Martin Vajsar
Sheriff
Posts: 3752
62
Chrome Netbeans IDE Oracle
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I'm not sure whether you'll be able to install a self-signed certificate as a trusted one. I wouldn't be surprised if it wasn't actually possible. But this should be really easy to test -- creating a self-signed certificate is for free. Also, I'd suggest doing the tests with various versions of Java, especially with the latest one -- WebStart security in Java has been beefed up recently.
 
Raymond Holguin
Ranch Hand
Posts: 82
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for your help, just as an FYI after some looking around i found this

https://blogs.oracle.com/java-platform-group/entry/upcoming_exception_site_list_in

basically they did update the security measures to not allow self-signed certs as of Java 7u51. The workaround is that there is a new whitelist feature from the control panel that allows you to put in your sites URL that will ignore whether the cert is self-signed or not.
 
Paul Clapham
Sheriff
Posts: 21572
33
Eclipse IDE Firefox Browser MySQL Database
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Raymond Holguin wrote:basically they did update the security measures to not allow self-signed certs as of Java 7u51. The workaround is that there is a new whitelist feature from the control panel that allows you to put in your sites URL that will ignore whether the cert is self-signed or not.


I just had a look at the Java control panel to see that, because I hadn't noticed it before. The first level of workaround is that you have to set the security level to "Medium" if you want to be able to run self-signed applications at all. The default is "High", in which the application's certificate has to be from a trusted authority. (And "Very High" requires the certificate to not be expired.) My experience with the "Medium" level is that you have to approve the self-signed certificate every time you run the application.

As Raymond says, there is an "Exception Site List". I hacked around with that for a bit using a Webstart app which I use regularly, which has a self-signed certificate. The control panel says "Applications from the sites listed below will be allowed to run after the appropriate security prompts." Putting a self-signed application's location here allows you to run it even under "High" security, but you still have to approve it every time you run the application no matter what the security level is.
 
Raymond Holguin
Ranch Hand
Posts: 82
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Paul. Currently as this project is in the design phase I don't have any built web start projects, otherwise i would be running all these tests myself. We are still trying to determine if web start is the best way to go. That being said, do you have any suggestions or input to whether its even possible to somehow prevent the security notice to appear? As I had mentioned earlier, every time a new user logs in the app will start fresh, so i don't want to have these warnings pop up every time. Would installing a certificate on each kiosk, as Martin had mentioned, be a solution? Any other ways?
 
Paul Clapham
Sheriff
Posts: 21572
33
Eclipse IDE Firefox Browser MySQL Database
  • Likes 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No, subverting the security process is a non-starter. It may seem like a good goal to you but it's also a good goal to black-hat hackers, and therefore it isn't going to be feasible.

However if you're considering installing certificates on the kiosks, you might consider installing a Java application there instead of using Web Start. This would make the security issues go away entirely. It also makes some of the advantages of Web Start go away, but there's the trade-off.
 
Paul Clapham
Sheriff
Posts: 21572
33
Eclipse IDE Firefox Browser MySQL Database
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
One more thing: I just noticed (via Google+) that Oracle has updated their document on Java Rich Internet Applications. Here's a link to the latest version: Java Rich Internet Applications Guide. There's a lot about security there, no doubt a lot which I'm not familiar with, and you might just manage to extract some information which allows you to deploy a Web Start application in the way you would like.
 
Raymond Holguin
Ranch Hand
Posts: 82
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Very true, there are always trade-offs to consider. I may just have to build a small web start project and mess around with it to see how manageable it will be. The main issue is that if i do go standalone application, i will need a way to easily and quickly remotely manage updates of the application and maintenance, which is why web start was so appealing. thanks for your help, gave me things to consider.
 
Raymond Holguin
Ranch Hand
Posts: 82
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Just for an update on this situation. I messed around a bit with the web start and certificates and you can indeed bypass the security warning. What I did was import the certificate that i signed my JAR file with into the "Signer CA" trusted certificates via the Java control panel. The first time I ran my app it gave a prompt if i Always wanted to trust apps from this cert. i said yes, and I don't get prompted anymore. If the user is prompted once every time i update the cert every couple years, I believe this will be acceptable for us.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic